Last fall, one Huffington Post headline read: “White House Hacked In Cyber Attack That Used Spear-Phishing To Crack Unclassified Network.”
Earlier this year, the Federal Times led with the article “Feds’ chief cyberthreat: spear phishing attacks.” They described it this way: “The weapon of choice for most cyber hackers is a malicious email disguised as a friendly email.”
Yes, spear phishing is hot all over the USA – very hot.
In March 2013, Alan Paller, director of research at the SANS Institute, said that 95% of all attacks on enterprise networks are the result of successful spear phishing.
And this cyberthreat goes back a ways. Pop quiz…
When did spear phishing become such a big problem – even reaching “epidemic” proportions?
(The answer is at the end of this blog – but it wasn’t in 2012).
Spear phishing is cyber fraud that targets a specific organization, seeking unauthorized access to confidential data. While most spear phishing attempts come via email, other social media messages are often used to get users to click on links.
What does spear phishing look like? Over the past few months, State of Michigan employees have received emails that look “official” but are in reality spear phishing attempts. That is, they appear to come from trusted sources and look as if they are written as work-related - specifically for state government employees.
These hostile messages got around our spam filter and ended up in user mailboxes. One message was very convincing and appeared to be from our internal help desk or customer support organization. For example, the email read: “Your mailbox is full, but we can help. If you click on this link and answer a few questions, we’ll reset your account.”
In one case, an email was sent to several thousand employees. When an end user clicked on the link, a screen popped up asking for account details and password information. Sadly, many employees took the bait, clicked on the link and sent in their computer account details.
Fortunately, we were ready. Our security and technology teams activated procedures to reset passwords and ensure that accounts were not compromised. If account information was compromised (with username and password falling into the wrong hands), that information could be used to cause a breach of sensitive information contained in government databases.
In one case, we had to reset passwords for over a thousand user accounts as a result of a spear phishing attack. And we have seen several smaller spear phishing incidents this year as well.
How Frequent is Spear Phishing?
And this is not unique to Michigan. Remember, the South Carolina breach started with a spear phishing attack.
A few weeks back, the MS-ISAC held a “Hot Topics” webcast for government members only. The topic was dealing with spear phishing, and many recent examples were shared from all over the country. What was clear is that spear phishing attacks are happening more than ever before. Examples from Delaware, Arkansas, Washington State and Michigan were given, and many attendees shared stories from other states as well. (State and local government members can access the taped webcast on the MS-ISAC portal.)
What is clear is that, despite the fact that spear phishing has been around for a while, this issue needs to be addressed as a higher priority for the public and private sectors - now. Whether you are in a small or large organization, these constantly refined spear phishing techniques are becoming more and more targeted to unique organizations. Sometimes, the emails even use logos or language which comes straight from technology and security teams.
What Can Be Done to Help?
There is no doubt that stopping spear phishing is not a “sexy” topic or thought of as especially difficult to solve by most cybersecurity pros – at least not initially. Spam emails, bank email phishing campaigns and spear-phishing have been around for years. The current tendency is to do a bit of training, put anti-spam or anti-phishing technologies in place and just hope for the best. But is that enough?
Many organizations also have a suspected email fraud mailbox – and this can be an effective tool. (The State of Michigan has one of these and gets hundreds of emails a month sent to the mailbox.) That is, end users can send suspected bad emails to a specific email address, and a team of experts with tools determines if the message is legit.
Back in 2007, SANS listed some steps that end users can take to combat spear phishing – most of which still apply today.
Jason Clark, a respected colleague and CSO of Websense, wrote this article back in December 2012 listing eleven tips that enterprises can take to help. Here is an excerpt:
1. Inbound email sandboxing:
Deploy a solution that checks the safety of an emailed link when a user clicks on it. This protects against a new phishing tactic that I've seen from cybercriminals. Bad guys send a brand new URL in an email to their targets to get through the organization's email security. The other tactic is when they inject malicious code into the website right after delivery of the email URL. This URL will get past any standard spam solution.
2. Real-time analysis and inspection of your
First, stop malicious URLs from even getting to your users' corporate inboxes at your gateway. Even if you have inbound email sandboxing for your corporate email, some users might click on a malicious link through a personal email account, like Gmail. In that case, your corporate email spear-phishing protection is unable to see the traffic. Bottom line: your web security gateway needs to be intelligent, analyze content in real time, and be 98 percent effective at stopping malware.
3. Employee behavior:
The human element is incredibly important. Many CSOs that I've spoken with are adopting employee testing programs with Phishme.com (Editor's note: Clark is on the executive board of PhishMe Inc.), and do this training on an ongoing basis. The result isn't really employee education or security awareness — it's behavior modification. See my five employee behavior tips below.
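Tip 1 in the excerpt above (checking a link when it is clicked rather than only when the mail arrives) can be sketched as follows. This is an added example, not code from the original post or from any vendor product; the gateway URL, the signing key, the function names and the in-memory blocklist standing in for a live reputation feed are all assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://clickcheck.example.invalid/v"  # hypothetical gateway endpoint
KEY = b"constructed-demo-key"  # constructed; a real deployment uses a managed secret
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed message, modelled on the help-desk lure quoted earlier on the page.
SAMPLE = ("Your mailbox is full, but we can help. Click "
          "http://mailbox-reset.example.test/login?id=7 to reset your account.")


def _sign(url: str) -> str:
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Delivery time: wrap every link so a later click goes through the gateway."""
    def wrap(match):
        url = match.group(0).rstrip(".,;:!?")  # keep sentence punctuation outside
        tail = match.group(0)[len(url):]
        return f"{GATEWAY}?u={quote(url, safe='')}&s={_sign(url)}{tail}"
    return URL_RE.sub(wrap, body)


def resolve_click(wrapped: str, blocklist: set) -> tuple:
    """Click time: verify the signature, then judge the destination against the
    reputation data as it stands now, not as it stood when the mail arrived."""
    query = parse_qs(urlsplit(wrapped).query)
    url, sig = query.get("u", [""])[0], query.get("s", [""])[0]
    if not hmac.compare_digest(sig.encode(), _sign(url).encode()):
        return ("reject", None)  # forged or altered link: never redirect
    host = (urlsplit(url).hostname or "").lower()
    return ("block", url) if host in blocklist else ("allow", url)


def first_link(body: str) -> str:
    return URL_RE.search(body).group(0)


if __name__ == "__main__":
    link = first_link(rewrite_links(SAMPLE))
    print(resolve_click(link, set()))                           # verdict at delivery
    print(resolve_click(link, {"mailbox-reset.example.test"}))  # verdict after listing
```

The signature check keeps the gateway from acting as an open redirector: only links the mail system itself wrapped are ever resolved.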
So when did all of this spear phishing first become such a big issue? It has been a major problem since at least 2005 (answer d). A techspot.com article stating: “Spear phishing reaches epidemic levels” was released in 2005.
No doubt – we’re seeing even more examples in government in 2013. So if you aren’t dealing with spear phishing wherever you are working – perhaps you are not looking in the right places. Government security pros must be ready, have a plan and take action.
Any spear phishing stories to tell?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.